Upload
rockys11
View
875
Download
1
Tags:
Embed Size (px)
Citation preview
Security in Next Generation Networks1
Fundamentals of Security in Fundamentals of Security in Next Generation NetworksNext Generation Networks
Igor Faynberg
Igor Faynberg, Security in NGN2
Outline Outline
Scope and purpose; NGN vs. the InternetIntroduction to general network security
issuesCryptography, digests, and digital
signaturesAuthentication protocolsCommunication security with application
examplesSocial issues
Igor Faynberg, Security in NGN3
Scope and purposeScope and purpose
This tutorial is just – an introduction into a very large field– description of basic problems and general
review of the existing solutionsIt should help you decide
– whether you need to learn more– where to look for more information– what you need to do yourself and what you
can trust others to do for you
Igor Faynberg, Security in NGN4
Next Generation Networks vs. Next Generation Networks vs. the Internetthe Internet
The Internet was designed and built by people who wanted a great tool; they had never thought (until 1989) that someone would think up Denial of Service (DOS)
The Internet was concerned with very few applications in mind (file transfer, e-mail)—no one even thought about e-commerce, VoIP, IPTV, etc. at the onset
As the result, the Internet security was put in reactively and… late
• NGN must support many new resource-intensive applications in networks that will connect mutually distrusting organizations
• It takes a small percentage of hostile mischief to do considerable damage
• The society and its major institutions will depend on the NGN security
Igor Faynberg, Security in NGN5
NGN NGN Subsystem Architecture Subsystem Architecture OverviewOverview
Other MultimediaSubsystems …
Based on3GPP IMS R6
(RTSP-based)Streaming services
(SIP-based) IP Multimedia Subsystem
(Core IMS)
IP ConnectivityAccess NetworkAnd related subsystems
PS
TN
(SIP-I based)PSTN/ISDN Emulation
Subsystem
Applications
IP
Resource and Admission Control
Subsystem
Core Transport Network
Access TransportNetwork
GWGWGW
Network Attachment Subsystem
GW
Igor Faynberg, Security in NGN6
Security may mean…Security may mean…
Limitation of data disclosurePrivacyAnonymous communicationsPrevention of changing data in transitLaw enforcement
– destruction of pirated content– tracking criminals– monitoring enemy’s communications
Igor Faynberg, Security in NGN7
Basic Network Security IssuesBasic Network Security Issues Confidentiality
– Keeping information secret from unintended users Authentication
– Confirming the identity of the presenter of the information Authorization
– Determining whether a user may be given a resource Non-repudiation
– A property that no party that has signed a contract can later deny having signed it
Integrity– Ensuring that a message received was the one that was actually
sent
People had (more or less) learned how to deal with these issues in “normal” life. But how do we deal with them in the e-world?
Igor Faynberg, Security in NGN8
ITU-T Recommendation X.805ITU-T Recommendation X.805Security Architecture—the foundation Security Architecture—the foundation
of NGN Security studiesof NGN Security studies
X.805_F3
Acc
ess
cont
rol
Infrastructure security
Services security
End-user planeControl plane
Management plane
THREATS
VULNERABILITIES
8 Security dimensions
ATTACKS
Dat
a co
nfid
enti
alit
y
Com
mu
nic
atio
n s
ecu
rity
Dat
a in
tegr
ity
Ava
ilab
ility
Pri
vacy
Au
then
tica
tion
Non
-rep
ud
iati
on Destruction
Disclosure
Corruption
Removal
Interruption
Security layersApplications security
Igor Faynberg, Security in NGN9
An example: E-mail…An example: E-mail…
Can you send a message that is truly private?
Do you know who really sent you a message?
Can you be sure that the message you know was sent to you by a friend was not modified in transit?
Can you send a truly anonymous message?
Igor Faynberg, Security in NGN10
Another example: Buying on-lineAnother example: Buying on-line
Can you be sure that the information you are supplying (including your credit card number and code—which proves your possession of the card) is not reached by a thief?
Can you be really sure that you are paying to the real merchant?
Can you buy anonymously? Can you deny the payment after receiving the
product (i.e., can the merchant prove that you have ordered the product)?
Igor Faynberg, Security in NGN11
Ciphers
Ensuring Confidentiality, Integrity, Ensuring Confidentiality, Integrity, and Non-Repudation: Cryptography and Non-Repudation: Cryptography
(secret) (writing)
Certificates
Key Distributio
n
Symmetric-Key Algorithms
Public-Key Algorithms
Digital Signatures
Igor Faynberg, Security in NGN12
Ciphers and CodesCiphers and Codes
Cipher: an atom-for-atom (e.g., character-for-character or bit-for-bit) transformation of the plaintext into ciphertext.
Code: replaces longer strings (e.g., words or sentences with symbols)
Igor Faynberg, Security in NGN13
Basics of CryptographyBasics of Cryptography
All algorithms must be public; only the keys are secret. August Kerckhoff, 1883.
Igor Faynberg, Security in NGN14
Intruders and CryptanalysisIntruders and Cryptanalysis
An intruder listens to all communications and it may copy or delete any message– An active intruder modifies some messages
and re-inserts them– A passive intruder just listens
To decrypt a message without having a key, an intruder practices the art of cryptanalysis
Igor Faynberg, Security in NGN15
Classification of CiphersClassification of Ciphers
Substitution ciphers– Cesar’s cipher– Affine transformation ciphers
Transposition ciphersOne-time padBlock ciphersExponentiation ciphers
– RSA
Igor Faynberg, Security in NGN16
Substitution CiphersSubstitution Ciphers Each symbol is replaced by another symbol (Example: with Latin alphabet, in monoalphabetic substituion, the key is a 26-letter string that represents the substituting permutation of the alphabet, so 26! keys are available)Case study: Caesar cipher (A -> D, B -> E, C->F, …Z->C ), or
ord (s) = [ord(s) + 3] mod 26.
Letters are packed in equal blocks to prevent cryptanalysis based on the word length
Igor Faynberg, Security in NGN17
Case Study: Cesar’s CipherCase Study: Cesar’s Cipher
Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Ciphertext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
THIS MESSAGE IS TOP SECRET THISM ESSAG EISTO PSECR ET
19 7 8 18 12 | 4 18 18 0 6 | 4 8 18 19 14 | 15 18 4 2 17 | 4 19|
22 10 11 21 15 | 7 21 21 3 9 | 7 11 21 22 17 | 18 21 7 5 20 | 7 22
WKLVP HVVDJ HLVWR SVHFU HW
Igor Faynberg, Security in NGN18
Affine Transformation Ciphers Affine Transformation Ciphers
Substitution ciphers are easy to break with a relatively small amount of ciphertext, using statistical properties of the language (frequency of letters, digrams, trigrams, etc.)
More general:
• C = P + k (mod 26) is a shift transformation cipher;
• C = aP + b (mod 26), where (a, 26) = 1, is an affine transformation cipher
• φ(26) = 12 choices for a, 26 choices for b, altogether 312 transformations•Inverse is computed as P = a’(C-b) (mod 26), where
aa’ ≡ 1 (mod 26)
Key: (a, b)
Igor Faynberg, Security in NGN19
A Cryptanalysis Example A Cryptanalysis Example
Letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Frequency 7 1 3 4 13 3 2 3 8 <1 <1 4 3 8 7 3 <1 8 6 9 3 1 1 <1 2 <1
The frequencies of occurrence of letters in English text:
Letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Frequency 1 0 4 5 1 3 0 0 0 1 0 1 1 1 0 7 2 2 2 3 0 0 1 2 3 2
Analysis of the frequencies of occurrence of letters in the ciphertext:
Ciphertext: YFXMP CESPZ CJTDF DPQFW QZCPY NTASP CTYRX PDDLR PD
(Suppose, we know that shift transformation cipher was used)
Guess: P(7) = E(13) => 15 = 4 + k (mod 26) => k = 11.
Plaintext: NUMBE RTHEO RYISU SEFUL FOREN CIPHE RINGM ESSAG ES
(NUMBER THEORY IS USEFUL FOR ENCIPHERING MESSAGES)
Igor Faynberg, Security in NGN20
Transposition CipherTransposition Cipher All symbols are reordered according to a permutation specified
by the key
Example: ILOVEY the key—must have no repeated symbols 2345 16 the relative order of each symbol in the key
LETUSM plaintext is written in rows of the key’s size EETTON IGHTXY the last row is padded 1 2 3 4 5 6 SOXLEIEEGTTHUTTMNY (ciphertext is written in columns permuted in
the order of key’s symbols)
Transposition ciphers can also be broken by guessing the key size and using statistical analysis when the cryptanalyst knows that it is a transposition cipher.
Igor Faynberg, Security in NGN21
Any bit sequence the size of plaintext can be a key. Each bit of plaintext is XOR-ed with the corresponding bit of the key to produce a bit of the ciphertext
One-Time Pad CipherOne-Time Pad Cipher
011
100
10(XOR)+
EK DK=
)()( xyyxyx Plaintext: 001110011010010110
Key: 100100100111110110Ciphertext: 101010111101100000
Example:
One-time Pad is unbreakable; however key distribution is a big problem…
(Quantum cryptography may help!)
Igor Faynberg, Security in NGN22
Block Ciphers (Affine Transformation)Block Ciphers (Affine Transformation)
Key:– A is a square integer matrix of order n such
that (|A|, 26) = 1– B is an n-vector of integers
The ciphertext is split into blocks of length n; the last block is padded
For each block P, compute C = (AP + B) (mod 26)
Igor Faynberg, Security in NGN23
A Llittle Detour:A Llittle Detour: Three Facts of the Three Facts of the Elementary Number TheoryElementary Number Theory
Euler’s Theorem: If m > 0 and a and m are integers, such that (a, m) = 1, then
aφ(m) ≡ 1 (mod m).
Let a, b, and m be integers, m > 0 and (a, m) = d. If d | b, then the equation ax ≡ b (mod m) has exactly d incongruent solutions; otherwise, it has no solutions.
Fermat’s Little Theorem: If p is prime and a > 0 is an integer, which is indivisible by p, then ap-1 ≡ 1 (mod p).
Igor Faynberg, Security in NGN24
Exponentiation CiphersExponentiation CiphersAfter Pohlig and Hellman, 1978: p is a prime The key, e > 0 satisfies: (e, p-1) = 1
Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
1. Group the resulting numbers into blocks of 2m decimal digits, where m is the largest even integer such that the decimal value of each block is less than p
2. For each plaintext block, P, compute a ciphertext block C = Pe(mod p)
3. To decipher, find d such that de ≡ 1 (mod p-1) and compute P = Cd(mod p)Cd ≡ Ped P ≡ Pk(p-1)+1 ≡ [P (p-1)]kP ≡ P (mod p) (By Fermat’s Little Theorem)
Igor Faynberg, Security in NGN25
Exponentiation Ciphers: An ExampleExponentiation Ciphers: An Example p = 2633; the key e = 29; (e, p-1) = (29, 2632) = 1; Block length is 4 (m=2)
Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER
1907 0818 0818 0013 0423 0012 1511 0414 0500 1304 2315 1413 0413 1908 0019 0814 1302 0815 0704 1723
190729 ≡ 2199 (mod 2633)
2199 1745 1745 1206 2437 2425 1729 1619 0935 0960 1072 1541 1701 1553 0735 2064 1351 1794 1841 1459
d = 2269
2269*2622 ≡ 1 (mod 2622)
21992269 ≡ 1907 (mod 2633)
Igor Faynberg, Security in NGN26
Exponentiation Ciphers—Major Exponentiation Ciphers—Major PropertiesProperties
For encryption each plaintext block P, we use O([ln p]3) operations. Ditto for decryption (including finding an inverse d of e module p-1)
Cryptanalysis cannot be done rapidly. To discover the key e (knowing the prime p) takes—to the best of the present knowledge—exp([ln p ln ln p]1/2 operations (The Discrete Algorithm Problem).
Special cases (when p-1 has only small prime factors) exist, where it is possible to compute the discrete algorithm in O(ln3 p); these have to be carefully avoided when choosing p.
If p has 100 decimal digits, finding logarithms module p requires about 74 years; if it has 200 digits, about 3800000000 years are required!
Igor Faynberg, Security in NGN27
One Immediate Application: One Immediate Application: The Diffie-Hellman AlgorithmThe Diffie-Hellman Algorithm
Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time.
Let • p be a large prime• a be an integer relatively prime to p
These are known to all!
Pick k1 relatively prime to p-1
pypay k 11 0),(mod1
Pick k2 relatively prime to p-1
pypay k 22 0),(mod2
pKpapyK kkk 0),(mod)(mod 212
1pKpapyK kkk 0),(mod)(mod 121
2 =
Igor Faynberg, Security in NGN28
A Simple Example of a DH A Simple Example of a DH ExchangeExchange
p =17a = 2
k1 = 3
8)17(mod8)(mod11 pay k
k2 = 5
15)17(mod32)(mod22 pay k
9)17(mod32768)(mod2
1 pyK k9)17(mod3375)(mod1
2 pyK k
=
Igor Faynberg, Security in NGN29
The Diffie-Hellman Exchange among The Diffie-Hellman Exchange among n n partiesparties
Let • p be a large prime• a be an integer relatively prime to p
These are known to all!
kn relatively prime to p-1
pypay ik
ii 0),(mod
k2 relatively prime to p-1
1...
,
,,,
),(mod)(mod
...
;),(mod)(mod
;),(mod)(mod
1
21
nkkk
i
kkkktstsi
kkkjij
ipapyY
tsipapyY
jipapyK
nii
nn
tsii
jii
Broadcast:
Compute and broadcast:
k1 relatively prime to p-1
Pick: Pick:
Pick:Compute:
nkkk ipapyK nii
n
),(mod)(mod 1
1
...
Igor Faynberg, Security in NGN30
Fundamental Principles of Fundamental Principles of CryptographyCryptography
Redundancy– Ensure that the cipher space is larger than the
actual problem space in the plaintext (DOS!)
Freshness– Ensure that a receiver can establish that a
message is fresh (not a replay of another message)
ID (0-7) ID space (0-1024)
But don’t overdo it—ease of cryptanalysis!
Igor Faynberg, Security in NGN31
Modern Modern SymmetricSymmetric-Key Algorithms-Key Algorithms
Combine transpositions and substitutions and cascade them to make the algorithms very complex (to prevent cryptanalysis even when large amounts of ciphertext are available)
Often use block ciphers
ED KK
4-bit transposition (T)
SS
SS
SST
S
T
S
T
Cascading into a product
4 to 2 encoder
2-bit substitution (S)
T
2 to 4 decoder
Igor Faynberg, Security in NGN32
Some Common Symmetric-Key Some Common Symmetric-Key Cryptographic AlgorithmsCryptographic Algorithms
(after A. Tanenbaum)(after A. Tanenbaum)
Cipher Key size (bits) Characteristics
Rijndael 128-256 Best
Triple DES 168 Second best
Serpent, Twofish 128-256 Very strong
IDEA 128 Good (but patented)
RC5 128-256 Good (but patented)
RC4 1-2048 Some keys are weak
DES 56 Weak
Igor Faynberg, Security in NGN33
Public-Key CryptographyPublic-Key Cryptography
A (public key, private key) pair– Publish the public key (= encryption key)– Keep the private key (= decryption key) secret
Two essential requirements:1) 2) It is very hard (i.e, computationally infeasible) to
obtain from – To send a message M to you, I send – You decrypt it, obtaining:
EK
DK
.))(( MMKK ED
IKK ED
DK EK);(MKE
Igor Faynberg, Security in NGN34
RSA (Rivest, Shamir, Adleman)RSA (Rivest, Shamir, Adleman) Parameters: p, q, n, z, d, e
– Choose, large (1024 bits) primes: p, q– Compute n = pq, z = φ(n) = (p-1)(q-1)– Choose the exponent e relatively prime to z – Find d: ed ≡ 1(mod z)
Keys: public, (e, n); private, (d, n); Encryption and decryption:
– Brake the plaintext into largest equal even-digit blocks (P) shorter than n bits
– Encrypt each block P by computing C = E(P) ≡ Pe (mod n)
– Decrypt C by computing D(C) ≡ Cd (mod n) ≡ Ped (mod n) ≡ Pkφ(n)+1 (mod n) ≡
Pkφ(n) P(mod n) ≡ P(mod n)
Euler’s Theorem:
If n > 0 and e and d are integers, such that (a, m) = 1, then aφ(m) ≡ 1 (mod m).
The probability that P and n are not relatively prime is extremely low!
Igor Faynberg, Security in NGN35
RSA: An ExampleRSA: An Example p = 43, q=59; n = 43*59 = 2357; φ(n) = 42*58 =2436 Exponent e = 13; (e, φ(n) ) = (13, 42*58) = 1; Block length is 4
Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
PUBLIC KEY CRYPTOGRAPHY
1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
152013 ≡ 95 (mod 2537)
0095 1648 1410 1299 0811 2333 2132 0370 1185 1457 1084
937* 13 ≡ 1 (mod 2436)
0095937 ≡ 1520 (mod 2537)
d = 937
E(P) ≡ Pe (mod n)
P ≡ Cd (mod n)
Public key: (13, 2357)
Private key: (937, 2357)
Igor Faynberg, Security in NGN36
Analysis of RSAAnalysis of RSA 100-digit primes p and q, the encryption
exponent e, and its inverse, d, can be found in a few minutes of computer time. Now, both keys are ready!
Modular exponentiation for encryption can be performed in a few seconds when the modulus, exponent, and base have as many as 200 digits
Decryption (private key operations) takes longer, in general
Any known method of finding d from e and n is based on factoring n
The security of RSA is based on the difficulty of factoring large integers
Igor Faynberg, Security in NGN37
Properties of RSAProperties of RSA
The algorithm is secure because of the difficulty of factoring N. Factoring a 500-digit number should take 1025 years using a CPU with 1 microsecond instruction time
Encryption and decryption are inverse and commutative (an important property for digital signatures)
The algorithm is slow (compared to DES and other symmetric algorithms with much shorter keys)
RSA may be prohibitively slow when dealing with large blocks of data. It is typically used for one-time session key distribution for a symmetric-key algorithm (such as triple-DES)
Igor Faynberg, Security in NGN38
Typical use of RSA for Key Distribution Typical use of RSA for Key Distribution in Symmetric Cryptography (hybrid in Symmetric Cryptography (hybrid
encryption)encryption)Sender randomly generates K, and sends:
Receiver
1. Decrypts K using the private key
2. Decrypts the message using DK
Plaintext encrypted with the symmetric-key algorithm EK
K, encrypted using RSA with the public key of the receiver
+
Igor Faynberg, Security in NGN39
Other Public-Key AlgorithmsOther Public-Key Algorithms Knapsack (Merkle and Hellman, 1978)—based on NP-completeness of the Knapsack
problem– Was the first public-key algorithm, but is considered unsecure and not used
El Gamal (1985) is based on difficulties computing discrete algorithms– More computationally-intensive than RSA– Is totally unencumbered by copyright and patents
RSA– Users can have problems with proper generation of primes (some primes or pseudo-primes
may aid factoring)– not appropriate for use in situations where key generation occurs regularly – Patents expired
Elliptic-Curve Cryptography (ECC) (Miller and Koblits, 1985) hinges on the intractability of the discrete logarithm problem in the algebraic system defined on the elliptic curve points
– Uses smaller keys than RSA or El Gamal– Is significantly faster than RSA (for the same security) – Is patented
Igor Faynberg, Security in NGN40
Digital Signatures and Non-Digital Signatures and Non-RepudiationRepudiation
Requirements– The receiver can verify the claimed identity of
the sender– The sender cannot repudiate the contents of
the message– The receiver cannot sign its own message with
someone else’s signatureThe implementations can be based both on
symmetric- and public-key signatures
Igor Faynberg, Security in NGN41
Non-Repudiation with Non-Repudiation with Symmetric-KeySymmetric-Key Digital Digital SignaturesSignatures
A single third party (Central Authority, A) keeps everyone’s keys
A
X Y
E K(X)(M, Y, RX
, t)
EK(Y) [ M, X, R
X, t’, EK(A) (M, X, t)]
• K(X)—X’s key with A• M—the message from X to Y• Y—the receiver’s identity• RX — a random number• t, t’— timestamps
• K(Y)—Y’s key with A• K(A)—the key only A knows• X—the sender’s identity
Now X cannot deny having sent M to Y!
Igor Faynberg, Security in NGN42
Non-Repudiation with Public-Key Digital Non-Repudiation with Public-Key Digital SignaturesSignatures
Works with any public key algorithm with the property E[D(P)] = P
(RSA is one of them, but there are others)
X Y
S=DPr(X) (M)
• Pu(Y)—Y’s public key• Pr(X)—X’s private key
No third party needed!
M=EPu(X)(S)
Igor Faynberg, Security in NGN43
Non-Repudiation Non-Repudiation andand Confidentiality with Public-Key Confidentiality with Public-Key Digital SignaturesDigital Signatures
Again, use any public key algorithm with the property E[D(P)] = P
X Y
S= EPu(Y) [ DPr(X) (M)]
• Pu(X)—X’s public key• Pr(X)—X’s private key• Pu(Y)—Y’s public key• Pr(Y)—Y’s public key
No third party needed!
M= DPr(Y)[EPu(X)(S)]
Igor Faynberg, Security in NGN44
Some Problems with Public-Key Some Problems with Public-Key Digital SignaturesDigital Signatures
If X discloses his or her private key (or claims that it was stolen), it can no longer be proven that X had sent the message
Ditto if X decides to change his or her keyThe scheme is an overkill (it is slow)
because it combines authentication with confidentiality
An improvement is needed!
(We will start by addressing the last item.)
Igor Faynberg, Security in NGN45
One-Way Functions and One-Way Functions and DigestsDigests
Given an algorithm for computing f(x), it is easy to compute y = f(x) for any x
Given the value of y = f(x), it is hard (i.e., computationally infeasible) to compute x
Given x, it is hard to find t such that f(x)=f(t)– to meet this criterion, the hash should be at least 128 bits long
One-bit change to x produces a very different output, f(x)– to meet this criterion, the algorithm must toss the bits very thoroughly
—quite differently from what symmetric key algorithms do!
Computing and encrypting a message digest is much faster than encrypting the whole text!
Igor Faynberg, Security in NGN46
Digital Signatures with Message Digital Signatures with Message Digest (non-repudiation)Digest (non-repudiation)
(a) D is the private key of the sender (b) The receiver uses the public key of the
sender to check the signature
(b)
The trick: Sign only the digest, not the whole message!
Igor Faynberg, Security in NGN47
Two Popular Message Digest Two Popular Message Digest AlgorithmsAlgorithms
– Message Digest (MD5) (Rivest, 1992)Produces a 64-bit result supercedes the previous four MDs in a
series, but they are all “broken”
– Secure Hash Algorithm (SHA-1) produces a 160-bit resultIs standardized by NIST in FIPS 180-1Is on its way to replace MD5
Igor Faynberg, Security in NGN48
The Birthday AttackThe Birthday Attack
Q: How many people need to be in a room before the probability of having there two people with the same birthday exceeds 1/2?
A: 23
More generally, in matching n inputs with k<n outputs, the probability of two inputs assigned to the same output, a match is likely for n=k1/2. And so, with MD5, one could generate 232 matches and probably get two with the same digest.
Igor Faynberg, Security in NGN49
Back to Problems with Public-Key Back to Problems with Public-Key Digital SignaturesDigital Signatures
If X discloses his private key (or claims that it was stolen), it can no longer be proven that X had sent the message
Ditto if X decides to change his keyThe scheme is an overkill (it is slow) The scheme is an overkill (it is slow)
because it combines because it combines authentication authentication with with confidentialityconfidentiality
An improvement is needed! And then there is a basic problem: Where do I get your public key, and how can I trust the place I get it from?
Igor Faynberg, Security in NGN50
Certificates (Public Key Distribution)Certificates (Public Key Distribution)
To use the public key signature scheme, the sender’s public key must be known
It could be published (on a web site, for example), but then it could also be altered
A common solution is to use certificates:– A sender attaches his or her (name, public key) pair,
digitally signed by the trusted third party —the Certification Authority (CA)
– Once the receiver obtained the public key of CA, the receiver can accept certificates from all senders who use this CA
Igor Faynberg, Security in NGN51
A CertificateA Certificate
Presumably, your computer has been pre-loaded with the SuperCert public key, P so you can always
• Compute the SHA-1 digest D of the declaration part of the certificate
•Verify that D = P(signature)
There is nothing secret about certificates; they can be sent in the open
I, the SuperCert Certification Authority, am delighted to confirm that the public key A789FHAFFDEG8600FFA belongs to Igor FaynbergThe SHA-1 digest of the above, signed with the
SuperCert private key
Igor Faynberg, Security in NGN52
A Different Use of a Certificate: A Different Use of a Certificate: Binding An Attribute to a KeyBinding An Attribute to a Key
I, the SuperCert Certification Authority, am delighted to confirm that person who owns the public key A789FHAFFDEG8600FFA is older than 21, and so you can legally sell him alcohol in New Jersey.The SHA-1 digest of the above, signed with the
SuperCert private key
An important feature: It preserves privacy!
Igor Faynberg, Security in NGN53
Questions:Questions:
What are all the possible formats (of attributes and all), and who could possibly manage them?
How can one CA possibly manage all certificates, and which organization is it anyway?
And suppose everyone trusts this organization, but how could it preserve its single public key from being modified?
Igor Faynberg, Security in NGN54
X.509: A standard for X.509: A standard for certificatescertificates
Contained in ITU-T Recommendation X.509
Igor Faynberg, Security in NGN55
Public Key Infrastructure (PKI)Public Key Infrastructure (PKI)Schematic descriptionSchematic description
C A 1 .1S u p erC ert
C A 1 .2
R A 1 C A 1 .1 is ap p roved , K ey 5 F 2 A B ...C A 2 .1 is ap p roved K ey A 4 5 6 7 ...>
C A 2 .1
R A 2
C A 3 .1
R A 3
R oot R A 1 is ap p roved , K ey 7 6 F A B F F 8 A ...
R A 2 is ap p roved , K ey: 1 7 A F 6 5 4 ... R A 3 is ap p roved , K ey: 2 F A B C F F ...
RA: Regional Authority
CA: Certificate Authority
: Chain of trust
I, the SuperCert Certification Authority, am delighted to confirm the public key A789FHAFFDEG8600FFA belongs to Igor Faynberg
The SHA-1 digest of the above, signed with the SuperCert private key
Igor Faynberg, Security in NGN56
More on PKIMore on PKI
There are many roots with their own trees. Modern browsers come pre-loaded with over 100 roots known as trust anchors– So, there is no single world-wide authority
Certificates can be stored at the user’s sites, but it would be more convenient (easier to look them up) to use the Domain Name System and store them at DNS sites
Certificates are timed, and they can also be revoked (CAs issue Certificate Revocation Lists [CRLs])
Igor Faynberg, Security in NGN57
Symmetric Key Distribution:Symmetric Key Distribution:Diffie-HellmanDiffie-Hellman revisited revisited
Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time.
Let • p be a large prime• a be an integer relatively prime to p
Pick k1 relatively prime to p-1
pypay k 11 0),(mod1
Pick k2 relatively prime to p-1
pypay k 22 0),(mod2
pKpapyK kkk 0),(mod)(mod 212
1pKpapyK kkk 0),(mod)(mod 121
2 =
Igor Faynberg, Security in NGN58
The Man-in-the-Middle AttackThe Man-in-the-Middle Attack
Establish K 1
Establish K2
Igor Faynberg, Security in NGN59
Avoiding a Man in the Middle:Avoiding a Man in the Middle:Signed Signed Diffie-HellmanDiffie-Hellman
Let • p be a large prime• a be an integer relatively prime to p
Pick k1 relatively prime to p-1
Pick k2 relatively prime to p-1
pKpapyK kkk 0),(mod)(mod 212
1pKpapyK kkk 0),(mod)(mod 121
2
A B
pypay k 11 0),(mod1
pypay k 22 0),(mod2
Signed with A’s private key
Signed with B’s private key
He cannot sign!
Igor Faynberg, Security in NGN60
Authentication ProtocolsAuthentication ProtocolsNeeded for the establishment of sessions (VoIP
conversations [streams and signaling], TCP sessions, etc.)
TextKerberos
Authentication with Public Key Cryptography
HMAC-based protocols
General Rules
Shared-key-based Protocols
KnownPitfalls
Key Distribution Centers
Challenge-Response
Igor Faynberg, Security in NGN61
Introduction of the Key PlayersIntroduction of the Key Players
Alice
Bob
Trudy the Intruder
Igor Faynberg, Security in NGN62
The General ModelThe General Model
Alice starts by sending a message to Bob or to a trusted Key Distribution Center (KDC)
An exchange followsTrudy may intercept, modify, or replay
any message
Igor Faynberg, Security in NGN63
Challenge-Response ProtocolChallenge-Response Protocol(first attempt)(first attempt)
Alice BobA identity
RB Challenge: A nonce --a large random number, not to be repeated
KAB(RB ) Response, encrypted with the shared key
RA
KAB(RA )
Igor Faynberg, Security in NGN64
Challenge-Response ProtocolChallenge-Response Protocol(Can we do this faster?)(Can we do this faster?)
Alice BobA, RA
RB, KAB(RA )
KAB(RB )
No!An improvement:3 instead of 5 messages!
Igor Faynberg, Security in NGN65
The Reflection AttackThe Reflection Attack
TrudyBob
KAB(RB )
First
Session
A, RT
RB, KAB(RT )
A, RB
RB*, KAB(RB )
Second
Session
Igor Faynberg, Security in NGN66
General RulesGeneral Rules
The initiator has to prove its identity before the responder
The initiator and responder must use different keys for proof (a need for two shared keys)
Initiator and responder must draw challenges from different sets (e.g., odd/even)
It must be impossible to use authentication information obtained in one session in a different one
Igor Faynberg, Security in NGN67
But was the First Attempt Really But was the First Attempt Really Faultless?Faultless?
Alice BobA
RA
RB
KAB(RB )
KAB(RA )
A
KAB(RA )
TrudyAlice
B
RA
RA
KAB(RA )
RA*
RA*
KAB(RA* )KAB(RA* )
Now Trudy has two sessions with Alice!
Igor Faynberg, Security in NGN68
A Few ConclusionsA Few Conclusions
The authentication protocols are hard… In the previous example, again the Rules were
violated There is a method of designing protocols of this
kind that are provably correct: R. Bird & al, Systematic Design of a Family of Attack-Resistant Authentication Protocols, IEEE Journal on Selected Areas in Communications, vol. 11, pp. 679-693, June 1993
Igor Faynberg, Security in NGN69
Another Class of Protocols Another Class of Protocols That Work (HMAC)That Work (HMAC)
Hashed Message Authentication Code (HMAC), in general, is the hash (e.g., MD5 or SHA-1) of
(some data + shared key)
Alice Bob
RB , HMAC(RA, RB, A, B, KAB)
RA
HMAC(RA, RB, KAB)
Trudy does not know KAB, and so she cannot compute HMAC!
Igor Faynberg, Security in NGN70
Key Distribution Centers Key Distribution Centers (KDCs)(KDCs)
If a process needs to talk to n other processes, it will need to share n keys. As n grows, key management becomes a burden…
Another approach: Each user has a key shared with KDC, and all authentication and session key management go through KDC
Igor Faynberg, Security in NGN71
Authentication with the Key Distribution Authentication with the Key Distribution Center Center
(First attempt)(First attempt)
I want to use the key K to talk to Bob
A, KA (B, K)
K B(A, K)
Authentication happens automatically:
•KDC knows it is Alice (because of the shared key)
•Bob knows that the message came from KDC (for the same reason)
But there is a big problem here!
Igor Faynberg, Security in NGN72
The Replay AttackThe Replay Attack
Trudy is working for Alice. She knows that today at noon she will transfer her salary into her bank account in Bob’s bank
A, KA(B, K)
KB(A, K)
K(“Transfer $20,000 to Trudy”)
12:00
12:15
KB(A, K)K(“Transfer $20,000 to Trudy”)
Igor Faynberg, Security in NGN73
Solutions to Replay Attack (for KDC Solutions to Replay Attack (for KDC Protocols)Protocols)
Include a timestamp in each message– Problem: Clocks are not exactly synchronized over the
network; the differences can be used to sneak a replay Put a nonce in each message
– Problem: Each party has to remember all previous nonces forever
Combine timestamps with nonces (so as to remember nonces only for maximum misaligned time periods)– Problem: The protocol will become too complex…
Use a multiway challenge-response protocol
Igor Faynberg, Security in NGN74
The Needham-Schroeder The Needham-Schroeder Authentication Protocol (1978)Authentication Protocol (1978)
(After A. Tanenbaum)
But it still has a weakness (possible replay of 3 if plaintext of a previous session is found)!
Igor Faynberg, Security in NGN75
The Otway-Rees Authentication The Otway-Rees Authentication Protocol (1987)Protocol (1987)
This protocol fixes the problem with Needham-Shroeder more elegantly than Needham and Shroeder did (also in 1987)
(After A. Tanenbaum)
Igor Faynberg, Security in NGN76
A Few Notes on KDC IssuesA Few Notes on KDC Issues
KDCs can support hundreds of clients but not millions (scalability)
There is not a single KDC whom all other KDCs trust
There is no standard for inter-KDC communications for cross-realm authentication
Igor Faynberg, Security in NGN77
Authentication with KerberosAuthentication with Kerberos
Kerberos was designed in MIT, and it is based on a variant of Needham-Shroeder– Kerberos V.4 is widely used (for example, in
Microsoft Windows 2000)– Kerberos V.5 is being deployed
Kerberos assumes that all clocks are synchronized
Kerberos modifies the KDC model
Igor Faynberg, Security in NGN78
The Kerberos Model: Three The Kerberos Model: Three ServersServers
Authentication Server (AS)– Authenticates users during the login session– Shares a secret (password) with every user
Ticket-Granting Server (TGS)– Issues proof-of-identity tickets, which convince other
servers that the owners of the tickets are who they claim to be
The real-work server– Does the real work (performs services such as
banking transactions, telephone calls, etc.)
Igor Faynberg, Security in NGN79
Operation of Kerberos (V4) ASOperation of Kerberos (V4) AS
ASKA(KS, KTGS[A, KS])
A
plaintext
Session key To pass to TGS
At this point,
1) Alice is prompted for a password by the client, and this password is used for generating KA, so she obtains the session key and the the ticket for TGS2) The client overwrites the password3) Alice says she wants to use Bob’s services
Igor Faynberg, Security in NGN80
Operation of Kerberos (V4) TGSOperation of Kerberos (V4) TGS
TGS
Now Alice can start talking to the real-work server—Bob
KTGS(A, KS), B, KS (t)
TGS’s secret key
Encrypted timestamp (so that Trudy could not replay the message with a younger timestamp)
KS(B, KAB), KB(A, KAB)
Session key for talking to Bob Ticket to Bob
Igor Faynberg, Security in NGN81
Operation of Kerberos (V4) ServerOperation of Kerberos (V4) Server
Server
KAB(t+1)
Timestamped proof of Bob’s identity (Trudy could not do that!)
Now Alice can work with Bob, but if she needs to change to another real-work server, she just restarts with the request to TGS (no passwords are ever transmitted)
Encrypted timestamp
KB(A, KAB), B, KAB (t)
Ticket to Bob
Igor Faynberg, Security in NGN82
AS
TGS
Servers
Kerberos RealmsKerberos Realms
AS
TGS
Servers One can ask TGS for a ticket to a server in another realm
Igor Faynberg, Security in NGN83
Authentication with Public Key Authentication with Public Key Cryptography: A Naïve “Solution”Cryptography: A Naïve “Solution”
A
R
PrA(R)
…R = “I, undersigned Alice, owe Trudy $100,000”or
R=encrypted message from Bob
Igor Faynberg, Security in NGN84
Authentication with Public Key Authentication with Public Key CryptographyCryptography
PKI Directory
Bob’s
Public
Key
?
E B
EB (A, RA)
Alice’s Public Key?E
A
Proof of freshness and Bob’s identity
EA (RA, RB, KS)
KS (RB)
Igor Faynberg, Security in NGN85
Communication Security Overview Communication Security Overview
TextS/MIME
TSL/SSLDNSsec
Secure File Systems
Mobile code security
FirewallsPGPIPsec/VPNs
Igor Faynberg, Security in NGN86
Network Security in the Protocol Network Security in the Protocol StackStack
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer: firewalls help with limited success
Link Layer: nothing needs to be done, if it is really point-to-point; otherwise, use link encryptionPhysical Layer: Prevent wiretapping by enclosing transmission lines in sealed tubes containing argon at high pressure monitored by an alarm
Encrypt the whole session
Application-specific protocols
Igor Faynberg, Security in NGN87
Two Views in the Internet CampTwo Views in the Internet Camp
Security must be end-to-end, and for this reason alone must be implemented in the Application Layer (which will make plaintext unavailable to operating systems)
Problem: Then all applications must be re-written and… how many people really understand security to rewrite them?
Security must be implemented in the Network Layer without users ever approaching it!
Problem: Even though this view has prevailed, a truly network-layer implementation proved to be impossible, and Internet principles had to be violated.
Igor Faynberg, Security in NGN88
IP Security Protocol (IP Security Protocol (IPsecIPsec))
IPsec is a framework for multiple Services
– confidentiality, integrity, protection from replay—among the major ones
Algorithms– to make it algorithm-independent (and there is a Null
algorithm) Granularities
– from a single TCP connection to an aggregate
IPsec is… connection-oriented!
Igor Faynberg, Security in NGN89
Security Association (SA)Security Association (SA)
SA is a simplex connection identified by Security Parameters Index (SPI) carried by all packets
SA is needed because – a key must be used for some period of time—
the duration of the connection– the set up time is amortized among many
packets
Igor Faynberg, Security in NGN90
Establishing an SAEstablishing an SA
This involves– Authenticating both ends– Establishing the key– Agreeing on cryptographic algorithms– Initializing the sequence number (which will
run through the life of the association)– Establishing SPI
Igor Faynberg, Security in NGN91
Two Parts of Two Parts of IPsecIPsec
The Internet Security Association and Key Management Protocol (ISAKMP) deals with establishing symmetric keys– The main protocol is called Internet Key Exchange
(IKE). It has problems, and it is being replaced by IKE2
The other part deals with the headers defined for the two modes of IPsec operation– Transport mode and– Tunnel mode
Igor Faynberg, Security in NGN92
Transport- and Tunnel ModesTransport- and Tunnel Modes
Transport mode
IP header IPsec header IP payload
Via the Protocol field
Tunnel mode
IP packetNew IP header
Useful for 1) terminating at other than end-user locations (e.g., firewalls) and 2) aggregation to prevent traffic analysis
Igor Faynberg, Security in NGN93
Two (Historical) HeadersTwo (Historical) Headers
The Authentication Header (AH) deals only with integrity checking but not confidentiality; hashed message authentication code (HMAC) integrity check covers only immutable IP fields (not TTL)
The Encapsulating Security Payload (ESP) supports both HMAC integrity and full confidentiality. In a way, it makes AH superfluous
Igor Faynberg, Security in NGN94
Authentication Header (AH)Authentication Header (AH) (IPv4 Transport Mode) (IPv4 Transport Mode)
Stores the value that IP Protocol field had
Number of 32-bit words in AH minus 2
The “virtual circuit number” associated with the shared key
Runs for the life of the SA
Payload + key, signed
(After A. Tanenbaum)
Igor Faynberg, Security in NGN95
Encapsulating Security Payload Encapsulating Security Payload (ESP) Header(ESP) Header
Transport mode
Tunnel Mode
32 bits
Security Parameters IndexSequence Number
Initialization vectorfor encryption
Trails to help hardware run all bits through before the calculation
(After A. Tanenbaum)
Igor Faynberg, Security in NGN96
Virtual Private Networks (VPNs)Virtual Private Networks (VPNs)
(After A. Tanenbaum)
Before After
Igor Faynberg, Security in NGN97
FirewallsFirewalls
While IPsec protects the data in transit, it does nothing to keep bad bits out
Firewalls are supposed to do that. The combine– An outgoing layer 3 packet filter– An incoming layer 3 packet filter– An application gateway to carefully check
(wherever possible) application data
Igor Faynberg, Security in NGN98
Firewalls (cont.)Firewalls (cont.)
Igor Faynberg, Security in NGN99
What Firewalls Cannot DoWhat Firewalls Cannot Do
Deal with encrypted traffic or examine and restrict graphic (or video or .wav) content
Prevent attacks from inside (and this is 70% of all attacks!)
Prevent the Denial of Service (DoS) attacks—especially the Distributed DoS, from several different sources
Interwork well with real-time multimedia services (VoIP including) because of the dynamic port allocation by the Real Time Transport Protocol (RTP)
Igor Faynberg, Security in NGN100
E-Mail SecurityE-Mail Security
There are two systems:Pretty Good Privacy (PGP)
andSecure Multipurpose Internet
Mail Extensions (S/MIME)
Igor Faynberg, Security in NGN101
PGPPGP
Uses International Data Encryption Algorithm (IDEA) with 128-bit keys
Is a one-man (Phil Zimmermann) show Has an interesting history (Zimmerman had been
investigated for five years for “exporting munition”)
Supports text compression, confidentiality, digital signatures
Provides extensive key management facilities Takes plaintext as input and produces a base64-
encoded ASCII string as output
Igor Faynberg, Security in NGN102
How PGP WorksHow PGP WorksBased on random input from Alice
(After A. Tanenbaum)
Igor Faynberg, Security in NGN103
A PGP MessageA PGP Message
After A. Tanenbaum
Igor Faynberg, Security in NGN104
S/MIMES/MIME
Is similar to but more structured than PGPUses triple-DES rather than IDEAUses X.509 certification for keysAllows multiple trust anchorsReplaces an earlier IETF standard called
Privacy Enhanced Mail (PEM), which had specified a rigid certification system with one anchor. No one used it.
Igor Faynberg, Security in NGN105
Web Security IssuesWeb Security Issues
1. Secure Naming2. Secure Connections3. Secure mobile code
Igor Faynberg, Security in NGN106
Secure Naming: ThreatsSecure Naming: Threats
www.bob.com
42.9.9.936.1.2.3
DNS Server
www.bob.com: 36.1.2.3 42.9.9.9
Poisoned Cache
Igor Faynberg, Security in NGN107
Secure DNS (DNSsec)Secure DNS (DNSsec)
All information sent by a DNS server is signed with the originating zone’s private key (proof of origin)
Both requests and transactions are authenticated making spoofing and replay impossible
DNSsec relies on PKI for key distribution
Igor Faynberg, Security in NGN108
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Was first developed in 1995 by Nestcape and now widely used everywhere
Builds a secure connection between two sockets (application process’ endpoints)– Parameter negotiation between client and server– Mutual authentication– Confidentiality– Data integrity protection
Has evolved into the IETF Transport Layer Security TSL standard (which is stronger than SSL but has not been yet deployed)
Igor Faynberg, Security in NGN109
Position of the SSL/TSL in the Position of the SSL/TSL in the OSI Reference ArchitectureOSI Reference Architecture
Application Layer HTTPS (no change to HTTP!)
Presentation Layer
Session Layer
Transport Layer
Network Layer
Link Layer
Physical Layer
SSL/TSL
Igor Faynberg, Security in NGN110
SSL/TSL Connection EstablishmentSSL/TSL Connection Establishment
SSL version, preferences (cryptographic
algorithms, compression), nonce RClient
SSL version, choices, nonce RServer
Certificate with Public key EServer, X.509 trust chain
Eserver(384 bit pre-master key—randomly chosen)
Compute session key
KS(Eserver, Rclient , RServer)
Compute session key
KS(Eserver, Rclient , RServer)
End
ACK
Client
Server
Igor Faynberg, Security in NGN111
The Rest of the SSL/TSL SessionThe Rest of the SSL/TSL Session
Unit 1 Unit 2 … Unit n
Unit 1
Compression (if agreed on)
Unit 1
?#@18*99&^%$
Everything is encrypted using KS
?#@18*99&^%$Header
Transport header is attached
HMAC is added (KS and pre-master key are concatenated with the unit, and the result is hashed)
Unit 1
Igor Faynberg, Security in NGN112
Mobile CodeMobile Code
Java applets, ActiveX controls, and JavaScripts present a massive security risk
How are they handled?– Sandboxes for not trusted Java applets– Digital signatures accompanying ActiveX
controls. An extremely dangerous technique proven to have a disastrous potential!
– Nothing for JavaScripts (remain very dangerous)
Igor Faynberg, Security in NGN113
Social IssuesSocial Issues
PrivacyFreedom of speechCopyrightCovert communications
(steganography)Use of steganography to protect
copyright
Igor Faynberg, Security in NGN114
PrivacyPrivacy The Fourth Amendment to the US Constitution
prohibits searching people’s houses, papers, and effects without a search warrant
Strong cryptography (like PGP’s) provides privacy to every user, including criminals, spies, and terrorists—so their correspondence cannot be perlustrated even in place of search warrants
Lawful intercept is an essential self-protection task of every state, however
Many countries (e.g., France up to 1999) used to forbid the encryption unless all cryptographic keys are placed in escrow with their governments
Igor Faynberg, Security in NGN115
E-mail privacy (Anonymous Re-E-mail privacy (Anonymous Re-mailers)mailers)
Initially, the anonymous Type 1 re-mailers kept the trace of correspondents. Consequently, under the order of a court, an anonymous re-mailer had to disclose the true identity of a sender who was sued
The new re-mailers (cyberpunk re-mailers) are not supposed to keep any trace of anything
Igor Faynberg, Security in NGN116
How Re-mailers WorkHow Re-mailers Work
ES ( To: Bob
Message )
To: S.address
Public Key ES
SS
From: AnonymTo: BobMessage
Igor Faynberg, Security in NGN117
Chaining Re-mailers Chaining Re-mailers
Public Key E3
SS3)
E3 ( To: Bob
Message )
To: S3.address
E2
(
)
E1
( To: S2.address
From: Alice
To: S1.address
Public Key E1
SS1
Public Key E2
SS2
E3 ( To: Bob
Message )
To: S3.address
E2
(
)
To: S2.address
From: Anonym
To: BobMessage
E3 (To: Bob
Message )
To: S3.address
Igor Faynberg, Security in NGN118
Re-mailers Protect Anonymity, Re-mailers Protect Anonymity, but…but…
They aid –Mail spam and
–Phishing
By the way, not only e-mail servers provide anonymity; there are also HTTP anonymizers
Igor Faynberg, Security in NGN119
Freedom of SpeechFreedom of Speech
Censorhip is its opposite Materials that a government may choose to ban
from web sites include pornography, hate, manuals for building weapons, etc.
But a particular server may reside in a country that does not restrict specific materials that are banned by another country
Since the prosecuting country often has no jurisdiction in such cases, little can be enforced
The Internet, in general, opposes any censorship
Igor Faynberg, Security in NGN120
SteganographySteganography((στεγανω γραφ: στεγανω γραφ: covered covered writing)writing)
The color image uses 1024 * 769 picture cells (pixels)
Each pixel consists of three 8-bit numbers (RGB): {red intensity, green intensity, blue intensity}
Stealing one bit from each color (7-bit color is practically undistinguishable from 8-bit color), one gets 1024*769*3/8 = 294,912 bytes to store secret information (which can also be compressed and encrypted)
It is even simpler with black-and-white photography
Igor Faynberg, Security in NGN121
SteganographySteganography
http://www.jjtc.com/Security/stegtools.htmhttp://www.spychecker.com/program/stool
s.htmlUsing S-tools (Steganography tools for
Windows) by A. Brown
Steganography also works with digital audio (e.g., .wav) files
Igor Faynberg, Security in NGN122
Steganography DemoSteganography Demo
M. A. Bulgakov M. A. Bulgakov and an excerpt from a draft of “Master and Margarita”
Igor Faynberg, Security in NGN123
CopyrightCopyright Copyright is the granting to the creators of
intellectual property—writers, artists, composers, etc.—the exclusive right to exploit it
Many on the Internet have been violating copyright by making copyrighted material available to others
Lawmakers, lawyers, and various industries are very busy balancing the economic interests of copyright owners and the public
Steganography provides an excellent watermarking tool that allows to enforce prosecution of certain violations (e.g., plagiarism)
Igor Faynberg, Security in NGN124
Limited BibliographyLimited Bibliography
K. H. Rosen, Elementary Number Theory and Its Application, 3rd Edition, Addison Wesley, 1993
A. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, 2003
C. Kaufman, R. Perlman, and M. Speciner, Network Security, 2nd Edition, Prentice Hall, 2003
www.ietf.org www.itu.int (Go to the SG 17 site for security; SG
13 and FG NGN, for NGN) www.iso.org (Look for ISO/IEC JTC1 SC 27)